Synchronizing the exchange of cryptography information between kernel drivers

ABSTRACT

Methods and apparatuses for synchronizing the exchange of cryptography information between kernel drivers. A high level application in an electronic system passes a pointer to a base driver. The pointer is a unique identifier for cryptography information, such as a Security Association (SA), that the base driver uses to populate a cryptography information table for performing cryptography operations on secure traffic data packets. If the network interface device and/or its associated driver are reset, the pointer is used to repopulate the cryptography information table with specific cryptography information needed to perform cryptography operations on the data packets.

FIELD OF THE INVENTION

[0001] The invention relates to processing of cryptography information. More specifically, the invention relates to techniques for passing security association information between kernel drivers.

BACKGROUND OF THE INVENTION

[0002] Data transferred over a network can be encrypted to protect its confidentiality and integrity. Because many different encryption methods are used, data packets contain an index into a table of structures containing cryptography (crypto) information necessary to indicate to the receiving system how to decrypt the data. The crypto information can be contained in a data structure called a security association (SA). Network interface devices in the transmitting and receiving systems perform crypto operations (e.g., encryption, decryption, authentication) on the data packets based on the crypto information in the SA.

[0003] A device driver directs how the network interface devices will perform crypto operations. The device driver stores in system memory a table of crypto information necessary for the network interface devices to perform crypto operations on data packets. The information may also be stored in tables on the devices. These tables can include, for example, unique identifiers for the cryptography data structures, cryptography keys, source addresses, destination addresses, network protocol types, and other information related to crypto operations.

[0004] One technique for populating a table of crypto information is for a high level application such as an operating system (OS) to control the process. With this technique, the high level application is responsible for maintaining consistency of the security state between the upper system layers (e.g., OS, high level applications) and the lower system layers (e.g., base drivers, hardware devices) that perform crypto operations. The high level application manages a unique handle that the driver creates for each data structure of crypto information which is passed to the intermediate security layer and/or base driver. All operations on data packets by the intermediate security layer driver and/or network interface device drivers and/or network interface devices reference crypto information with the handle. If, for some reason, the network interface device and/or its associated driver is reset, the data in the crypto information tables is lost and the handles must be discarded. The high level application is then responsible for passing the crypto information to the base driver again so that it can repopulate the crypto information tables.

[0005] Some operating systems, for example, Windows® 2000 and Windows® XP, both available from Microsoft Corporation, guarantee that the crypto information tables are populated. Thus, if a network interface device and/or its associated device driver is reset, the operating system will pass the crypto information to the base drivers in order to allow the repopulation of the tables contained by the network interface device and/or its associated driver. One shortfall of such a technique is an inefficient use of resources because the entire table is repopulated, even though some of the information may not be used in the future. Another shortfall occurs with dynamic installation or removal of a network interface device; crypto information can be lost, or a device may be unable to acquire the proper security state. Another shortfall is that attempts to store crypto information in a network interface device and its associated driver during reset often fail, which requires repeated tries to store the information and/or results in failure to store the information.

BRIEF DESCRIPTION OF THE DRAWINGS

[0006] The invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements.

[0007] FIG. 1 is one embodiment of a block diagram of an electronic system.

[0008] FIG. 2 is one embodiment of a block diagram of an electronic system coupled to a network through a network interface.

[0009] FIG. 3 is one embodiment of a block diagram of an intermediate driver agent.

[0010] FIG. 4 is one embodiment of a block diagram of a base driver agent.

[0011] FIG. 5 is one embodiment of a block diagram of a data packet.

[0012] FIG. 6 is one embodiment of a flow diagram for transmission of a data packet from an electronic system implementing a layered security driver.

[0013] FIG. 7 is one embodiment of a flow diagram for reception of a data packet by an electronic system implementing a layered security driver.

DETAILED DESCRIPTION

[0014] Methods and apparatuses for passing cryptography information between kernel drivers are described. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to avoid obscuring the invention.

[0015] Reference in the specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrase “in one embodiment” appearing in various places throughout the specification are not necessarily all referring to the same embodiment. Likewise, the appearances of the phrase “in another embodiment,” or “in an alternate embodiment” appearing in various places throughout the specification are not necessarily all referring to the same embodiment.

[0016] Briefly, techniques for passing cryptography (crypto) information, such as Security Associations (SAs), necessary to perform crypto operations (e.g., encryption, decryption, authentication) on secure traffic data packets between kernel drivers are described. For example, a Security Association (SA) is a data structure of crypto information used in the Internet Protocol (IP) Security (IPsec) standard, IP Security Internet Engineering Task Force (IETF) Request for Comments (RFC) 2401, published November 1998, that is passed between layers of an electronic system implementing IPsec. A pointer to the crypto information is created and passed to a base driver. The base driver uses the pointer to populate a crypto information table to enable a network interface device to perform crypto operations on the data packets. In one embodiment, if the network interface device and/or its associated driver are reset, the pointer is used to repopulate the crypto information table as needed with the specific data structures of crypto information needed to perform crypto operations on the data packets.

[0017] Security status information is indicated from a base driver to an intermediate driver. The intermediate driver uses the security status information to determine whether processing should be performed on the packet. In one embodiment, the security status information indicates that crypto information necessary to process a data packet was missing. In one embodiment, the intermediate driver then passes the missing crypto information to the base driver.

[0018] FIG. 1 is one embodiment of an electronic system. Electronic system 100 may be, for example, a computer, a Personal Digital Assistant (PDA), a set top box, or any other electronic system. System 100 includes bus 101 or other communication device to communicate information, and processor 102 coupled with bus 101 to process information and to execute instructions. System 100 further includes memory 103, coupled to bus 101 to store information and instructions to be executed by processor 102. Memory 103 may also be used to store temporary variables or other intermediate information during execution of instructions by processor 102. Memory 103 may include random access memory (RAM), read-only memory (ROM), flash, or other static or dynamic storage media.

[0019] User interfaces 104 are coupled to bus 101 to allow interaction with a user. User interfaces 104 can be, for example, input devices (e.g., mouse, keyboard, touchpad, etc.) and/or output devices (e.g., cathode ray tube (CRT) monitor, liquid crystal display (LCD), etc.). Mass storage 105 can be coupled to system 100 to provide instructions to memory 103. Mass storage 105 can be, for example, a magnetic disk or optical disc and its corresponding drive, a memory card, or another device capable of storing machine-readable instructions. Network interfaces 106 can be coupled to bus 101 to enable system 100 to communicate with other electronic systems via a network.

[0020] Driver agent 107 may be coupled to system 100 to perform driver features in hardware. Driver agent 107 may be an Application Specific Integrated Circuit (ASIC), a special function controller or processor, a Field Programmable Gate Array (FPGA), or other hardware device to perform the functions of a driver. Driver agent 107 is not a necessary part of system 100. In one embodiment, system 100 may contain a driver agent that provides system control over network interfaces 106, for example, a Network Interface Card (NIC) driver controlling a NIC.

[0021] Network interfaces 106 couple electronic system 100 to other electronic systems over a network. In one embodiment, non-secure traffic streams are transmitted and/or received by system 100 through network interfaces 106. Similarly, secure traffic streams can be transmitted and/or received by system 100 through network interfaces 106. Transmitting secure traffic streams requires that crypto operations be performed on data packets to authenticate and/or encrypt data before being transmitted. Receiving secure traffic streams requires that crypto operations be performed on data packets to authenticate and/or decrypt data after being received. The crypto operations can be performed by network interfaces 106. For example, a driver agent can direct network interfaces 106 to decrypt a received data packet. The driver agent can be driver agent 107 or a software driver agent incorporated from a series of machine-readable instructions stored within memory 103.

[0022] Instructions can be provided to memory 103 from a storage device, such as magnetic disk, CD-ROM, DVD, via a remote connection (e.g., over a network), etc. In alternative embodiments, hard-wired circuitry can be used in place of or in combination with software instructions to enable system 100 to transfer crypto information from an intermediate driver agent to a base driver agent as described below. Thus, the electronic system depicted above is not limited to any specific combination of hardware circuitry and software structure.

[0023] Instructions can be provided to memory 103 from a form of machine-accessible medium. A machine-accessible medium includes any mechanism that provides (i.e., stores and/or transmits) information in a form readable by a machine (e.g., a computer). For example, a machine-accessible medium includes read only memory (ROM); random access memory (RAM); magnetic disk storage media; optical storage media; flash memory devices; electrical, optical, acoustical or other form of propagated signals (e.g., carrier waves, infrared signals, digital signals); etc.

[0024] FIG. 2 is one embodiment of a block diagram of an electronic system coupled to a network through a network interface. In one embodiment, Network Interface (NI) 210 is a communication interface that enables system 200 to communicate to other electronic systems coupled to network 220. For example, NI 210 can be a NIC. In one embodiment, data packets are received from network 220 into NI 210. Similarly, data packets can be transmitted to network 220 from NI 210. In one embodiment, cache 211 contains a table of crypto information necessary to perform crypto operations on the packets. For example, NI 210 can use data stored in cache 211 to decrypt a packet after it receives the packet.

[0025] Memory 103 contains operating system (OS) 231 which directs operations of system 200. In one embodiment, OS 231 is the highest layer of control of system 200. Intermediate driver agent 233 and base driver agent 235 are lower layers of system control. In one embodiment, OS 231 delivers crypto information to intermediate driver agent 233. In another embodiment, applications 232 can contain agents of a higher layer of control than intermediate driver agent 233 and deliver crypto information to intermediate driver agent 233. Applications 232 can also contain other programs (e.g., word processor(s), electronic mail (e-mail) programs).

[0026] Although referred to herein as delivering and/or passing crypto information between an intermediate driver agent and a base driver agent, delivering and/or passing crypto information as described can be practiced by other system layers. For example, an OS may deliver crypto information to a base driver agent. In another example, a base driver agent may pass information to a high level application. In general, system layers are applications and/or system elements that control the flow of operations in an electronic system, from a low level layer, such as network hardware, to a high level layer, such as an OS.

[0027] In one embodiment, memory 103 contains security association tables 233 and 236, which are data structures of SAs. Memory 103 may contain other tables of crypto information like SA table 234 and SA table 236, which are examples of tables of crypto information. Memory 103 can also contain intermediate driver agent 233 and/or base driver agent 235. In one embodiment, intermediate driver agent 233 creates pointers to crypto information in SA table 234. In one embodiment, intermediate driver agent 233 creates handles for the crypto information data structures that are unique identifiers for the SAs. The pointers can be used to access the data structures of crypto information, including the unique identifiers. Intermediate driver agent 233 passes the pointers to base driver agent 235. For example, a packet created for transmission by the upper system layers is passed by intermediate driver agent 233 to base driver agent 235 with a pointer to the memory location of the SA associated with the data packet. Base driver agent 235 can then use the pointer to access the crypto information in SA table 234.

[0028] Base driver agent 235 maintains SA table 236 for directing the processing of secure traffic data streams. In one embodiment, base driver agent 235 uses the pointer to populate SA table 236. For example, base driver agent 235 uses the pointer to access SA table 234 to repopulate SA table 236 with SAs if the information in the table is lost. For example, the data in SA table 236 is lost if NI 210 is reset. In one embodiment, base driver agent 235 uses the pointer to populate cache 211 if the data in cache 211 is lost, such as if NI 210 or its associated base driver agent is reset.

[0029] In one embodiment, base driver agent 235 uses the pointer to obtain crypto information from SA table 234 if the data necessary to perform crypto operations on a data packet is missing from SA table 236. For example, an NI device may be dynamically added to system 200 whose base driver agent may be unable to acquire the proper security state. In another example, an NI device may be dynamically removed from system 200. In another example, a base driver agent may be dynamically removed from system 200. If the information necessary to process data packets from secure traffic streams is not found in SA table 236, the information can be obtained with the pointer.

[0030] In one embodiment, base driver agent 235 uses the pointer associated with a packet to access crypto information necessary to perform crypto operations on data packets from SA table 234 if adding a data structure of crypto information to SA table 236 fails. For example, in an IPsec implementation, adding SAs during reset often fails. Tracking when a network interface device or its associated driver is ready to receive the data structures of crypto information is difficult. In prior art, if the data in SA table 236 is lost, missing, or unable to be added, the NI device will be unable to process data packets.

[0031] FIG. 3 is one embodiment of a block diagram of an intermediate driver agent. Control logic 310 directs the flow of operation of driver agent 300. In one embodiment, control logic 310 is a series of software instructions to perform logic operations. In another embodiment, control logic 310 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions.

[0032] System interfaces 340 provide a communications interface between intermediate driver agent 300 and an electronic system. For example, intermediate driver agent 300 can be part of a computer system and system interfaces 340 provide a communications interface between intermediate driver agent 300 and the computer system via a system bus. Thus, control logic 310 can receive a series of instructions from application software external to intermediate driver agent 300.

[0033] Intermediate driver agent 300 is not limited to being local to an electronic system. For example, system interfaces 340 may provide a communications interface between intermediate driver agent 300 and an electronic system through a network. In one embodiment, intermediate driver agent 300 may contain applications 320 to provide internal instructions to control logic 310. Applications 320 are not necessary to the function of intermediate driver agent 300.

[0034] Packet classification feature 351 enables intermediate driver agent 300 to match a data packet with its corresponding crypto information from a table of crypto information so that the data packet can be processed correctly. For example, packet classification feature 351 can enable intermediate driver agent 300 to direct a base driver agent which SA to use to encrypt a data packet prior to transmission of the data packet.

[0035] Packet transfer feature 352 enables intermediate driver agent 300 to transfer data packets to/from other system layers. For example, intermediate driver agent 300 can pass a data packet to be transmitted to a base driver agent. In another example, a high-level system layer such as an OS can create a data packet for transmission and pass the packet down to intermediate driver agent 300. Similarly, a base driver agent can pass a packet of ingress data up to intermediate driver agent 300.

[0036] Pointer feature 353 enables driver agent 300 to create a pointer to a memory location of crypto information. For example, pointer feature 353 enables intermediate driver agent 300 to create a pointer to the memory location of crypto information, such as data in an SA table. The pointer can be passed to a base driver agent and used to access a unique identifier for the crypto information stored with the information in a crypto information table. The base driver agent can then use the pointer to access crypto information necessary to perform crypto operations on data packets.

[0037] Packet classification feature 351, packet transfer feature 352, and pointer feature 353 can exist independently of and/or be external to intermediate driver agent 300. Thus, driver engine 350 may exist as a more complex or less complex embodiment, containing some, all, or additional features to those represented in FIG. 3. In one embodiment, intermediate driver agent 300 is part of a layered security driver. For example, intermediate driver agent 300 can be an Advanced Networking Services (ANS) driver as part of a Bump In The Stack (BITS) or Bump In The Wire (BITW) layered security driver implementation. On transmit, a Transmission Control Protocol/Internet Protocol (TCP/IP) stack may pass a data packet to an ANS driver, which then classifies the packet with its crypto information, and then passes the packet down the line for encryption and transmission. On receive, an NI device driver passes a received data packet to an ANS driver, which can then process the packet and/or pass it up to a TCP/IP stack.

[0038] FIG. 4 is one embodiment of a block diagram of a base driver agent. Control logic 410 directs the flow of operation of base driver agent 400. In one embodiment, control logic 410 is a series of software instructions to perform logic operations. In another embodiment, control logic 410 can be implemented by hardware control logic, or a combination of hardware-based control logic and software instructions.

[0039] System interfaces 440 provide a communications interface between base driver agent 400 and an electronic system. For example, base driver agent 400 can be part of a computer system and system interfaces 440 provide a communications interface between base driver agent 400 and the computer system via a system bus. Thus, control logic 410 can receive a series of instructions from application software external to base driver agent 400. Base driver agent 400 is not limited to being local to an electronic system. For example, system interfaces 440 may provide a communications interface between base driver agent 400 and an electronic system through a network. In one embodiment, base driver agent 400 contains applications 420 to provide internal instructions to control logic 410. Applications 420 are not necessary to the function of base driver agent 400.

[0040] Dereferencing feature 451 enables base driver agent 400 to utilize a pointer to acquire information referenced by the pointer. For example, dereferencing feature 451 enables base driver agent 400 to dereference a pointer to information in a table of crypto information passed by a higher layer driver agent to acquire the SA information necessary to direct processing of a data packet. In another example, dereferencing feature 451 enables base driver agent 400 to access the SA information necessary to populate a table of crypto information maintained by base driver agent 400. In another example, dereferencing feature 451 enables base driver agent 400 to use a pointer passed by a higher layer to a memory location in a table of crypto information to acquire the information necessary to populate a cache on a network interface device. This enables population of the table and/or the cache to be performed independently of the OS in the electronic system. Dereferencing can be performed in any manner known in the art.

[0041] Packet transfer feature 452 enables base driver agent 400 to transfer data packets to/from other system layers. For example, an NI device associated with base driver agent 400 can receive a data packet which base driver agent 400 passes up to an intermediate driver agent. The NI device could be connected to the Internet and receive a data packet from a secure traffic stream that base driver agent 400 passes up to a higher layer of a security driver. In another example, a higher-level system layer, such as an intermediate driver agent, can pass a data packet down to base driver agent 400 to be transmitted over a network. Thus, base driver agent 400 could be a NIC driver and an ANS driver could pass it a data packet to be transmitted over a secure traffic network stream.

[0042] Populating feature 453 enables base driver agent 400 to populate a crypto information table with data. For example, if an NI device associated with base driver agent 400 was reset, causing the data in its crypto information table to be lost, populating feature 453 enables base driver agent 400 to restore the data in the table. The table could be a table of SAs maintained by base driver agent 400, or optionally a cache of SAs on a NIC. The information in the table or tables that base driver agent 400 populates enables the NIC to perform hardware offload processing on data packets.

[0043] Packet status feature 454 enables base driver agent 400 to indicate to system upper layers the status of the processing of a data packet. For example, a packet may be from a non-secure source, and packet status feature 454 could indicate that the packet was processed without needing offload processing. In another example, packet status feature 454 may indicate that a packet was processed successfully in hardware. In another example, packet status feature 454 may indicate that a packet was processed, but that the packet failed authentication. In another example, packet status feature 454 may indicate that the crypto information needed to process the packet was missing.

[0044] Dereferencing feature 451, packet transfer feature 452, populating feature 453, and packet status feature 454 can exist independently of and/or be external to driver agent 400. Thus, driver engine 450 may exist as a more complex or less complex embodiment, containing some, all, or additional features to those represented in FIG. 4. In one embodiment, base driver agent 400 is part of a layered security driver. For example, base driver agent 400 can be a NIC driver in a BITS/BITW layered security driver implementation. On transmit, an ANS driver may pass a data packet down to the NIC driver, which then passes the packet to the NIC for transmission. On receive, a NIC driver directs how the NIC receives data packets, including directing hardware offload processing.

[0045] FIG. 5 is one embodiment of a block diagram of a data packet. In one embodiment, data packet 501 is embodied in traffic stream 500. For example, traffic stream 500 can be a secure traffic stream used by multiple networked electronic systems to communicate. For example, traffic stream 500 may be a network traffic stream between two electronic systems using the IPsec encryption standard to transfer secure information over the Internet.

[0046] In one embodiment, data packet 501 consists of header 510, cryptography information 520, and data 530. In one embodiment, cryptography information 520 consists of network protocol 521, security parameter index 522, source identifier 523, and destination identifier 524. Network protocol 521, security parameter index 522, source identifier 523, and destination identifier 524 can exist independently of and be external to cryptography information 520. Thus, cryptography information may be more or less complex, consisting of some, all, or additional elements to those depicted in FIG. 5.

[0047] In one embodiment, cryptography information 520 is necessary for an electronic system to process data packet 501. For example, an electronic system receiving data packet 501 using IPsec will locate cryptography information 520 to authenticate the packet and determine how to decrypt data 530. Similarly, an electronic system transmitting data packet 501 using IPsec will use cryptography information 520 to encrypt the data prior to transmission.
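The following is an added example, not code from the patent, of packet classification feature 351 ([0034]) applied to the fields of cryptography information 520 in FIG. 5: a packet's network protocol 521, security parameter index 522, source identifier 523 and destination identifier 524 are matched against a small table of SAs. The SA is looked up by (destination, protocol, SPI), which is how RFC 2401 identifies an SA; treating a zero source identifier as a wildcard selector, the type and function names, and the sample SA records are assumptions of this example.

```c
/* Added example (hypothetical names): classify a packet's crypto information
 * against an SA table. An SPI alone is not enough; the same SPI value can be
 * in use for ESP and for AH, or toward different destinations. */
#include <stdint.h>
#include <stdio.h>

enum { PROTO_ESP = 50, PROTO_AH = 51 };   /* IP protocol numbers for ESP and AH */

/* cryptography information 520 as carried by a packet */
typedef struct {
    uint8_t  proto;    /* network protocol 521 */
    uint32_t spi;      /* security parameter index 522 */
    uint32_t src;      /* source identifier 523 (IPv4, host order) */
    uint32_t dst;      /* destination identifier 524 */
} pkt_crypto_info;

/* one SA record in the intermediate driver's table (constructed sample data) */
typedef struct {
    uint8_t     proto;
    uint32_t    spi;
    uint32_t    src;   /* 0 = any source (assumed wildcard selector) */
    uint32_t    dst;
    const char *key_id;
} sa_record;

static const sa_record sa_table[] = {
    { PROTO_ESP, 0x1001, 0x0A000001, 0x0A000002, "k-esp-1" },
    { PROTO_AH,  0x1001, 0x0A000001, 0x0A000002, "k-ah-1"  }, /* same SPI, other protocol */
    { PROTO_ESP, 0x1002, 0,          0x0A000003, "k-esp-2" }, /* any source */
};

/* Returns the index of the SA that governs this packet, or -1 if none.
 * Identification is by (destination, protocol, SPI); the source selector
 * is checked only when the record pins one down. */
int classify(const pkt_crypto_info *p) {
    int n = (int)(sizeof sa_table / sizeof sa_table[0]);
    for (int i = 0; i < n; i++) {
        const sa_record *s = &sa_table[i];
        if (s->proto != p->proto || s->spi != p->spi || s->dst != p->dst) continue;
        if (s->src != 0 && s->src != p->src) continue;
        return i;
    }
    return -1;
}

int main(void) {
    pkt_crypto_info esp = { PROTO_ESP, 0x1001, 0x0A000001, 0x0A000002 };
    pkt_crypto_info ah  = { PROTO_AH,  0x1001, 0x0A000001, 0x0A000002 };
    pkt_crypto_info bad = { PROTO_ESP, 0x1001, 0x0A000001, 0x0A000009 };
    printf("esp -> %d, ah -> %d, wrong dst -> %d\n",
           classify(&esp), classify(&ah), classify(&bad));
    return 0;
}
```

A miss (-1) is the situation [0017] and [0043] describe as "crypto information missing": the packet cannot be handed to the NIC for offload, and the upper layer has to supply the SA before the packet can be processed.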

[0048] FIG. 6 is one embodiment of a flow diagram for transmission of a data packet from an electronic system implementing a layered security driver. Data packet 600 is generated by high level application process 610 and prepared for transmission. For example, high level application process 610 can be a TCP/IP stack. Generation and preparation of data packet 600 can include, for example, creating bit patterns to represent a data communication, and bit patterns to represent security information necessary to perform crypto operations on data packet 600.

[0049] Data packet 600 is passed to intermediate driver agent 620. Intermediate driver agent 620 can be, for example, an ANS driver as part of a BITS/BITW layered security driver implementation. In one embodiment, intermediate driver agent 620 maintains SA table 621, which is a table of SAs that contains all the information necessary to perform crypto operations on data packet 600. Although FIG. 6 depicts data structures of crypto information as containing SAs, SA table 621 and SA table 631 are only example embodiments of data structures of crypto information, and are not limited to containing crypto information data structures that are SAs.

[0050] Intermediate driver agent 620 provides memory management for SA table 621, but SA table 621 does not necessarily reside in intermediate driver agent 620. In one embodiment, intermediate driver agent 620 includes packet classifier 622, which associates data packet 600 with an SA for hardware offload processing. The SA corresponds to data in SA table 621. For example, a system TCP/IP stack may create a data packet to transmit as part of an IPsec traffic exchange. When the packet is passed to a BITS/BITW security driver, an ANS driver will associate it with an SA from an SA table in memory maintained by the ANS driver.

[0051] Data packet 600 is passed to base driver agent 630. Base driver agent 630 can be, for example, a NIC driver. In one embodiment, intermediate driver agent 620 passes *SA info 632 with data packet 600, *SA info 632 being a pointer to information in SA table 621 corresponding to the SA associated with data packet 600. Pointer *SA info 632 is created by intermediate driver agent 620. Base driver agent 630 accesses SA table 621 through *SA info 632 created by intermediate driver agent 620. Creating and passing pointer *SA info 632 may be accomplished by any manner known in the art.

[0052] A pointer is a reference to actual data, typically the address of a location in memory. A pointer can be created by any function for most data structures or data residing in fixed memory locations. A handle is a reference to actual data that is managed by an electronic system OS. The handle can be treated as another system resource, the OS preventing conflicting memory access by multiple functions. Thus, a handle differs from a pointer in that the handle is controlled by the OS, whereas a pointer can be created and controlled by any function. Because *SA info 632 is a pointer rather than a handle, base driver agent 630 can access the information in SA table 621 simply by dereferencing *SA info 632.

[0053] Base driver agent 630 also contains SA table 631, which is a table of SAs that contain all the information necessary to perform crypto operations on data packet 600. Base driver agent 630 provides memory management for SA table 631, but SA table 631 does not necessarily reside in base driver agent 630. In one embodiment, base driver agent 630 uses pointer *SA info 632 to populate SA table 631. For example, if the NI device associated with base driver agent 630 was reset, causing the information in SA table 631 to be lost, base driver agent 630 could use pointer *SA info 632 to acquire the specific SA information necessary to perform crypto operations on data packet 600 to repopulate the table with that information. Base driver agent 630 can also use *SA info 632 to acquire the SA information necessary to process data packet 600. For example, if base driver agent 630 was reset, the information in SA table 631 would be lost, and the SA necessary to process data packet 600 could be acquired using *SA info 632. In another example, if NI 640 was dynamically installed and was unable to acquire the correct SA state, base driver agent 630 could use *SA info 632 to acquire the SA information necessary to perform crypto operations.

[0054] Data packet 600 is passed to NI 640 by base driver agent 630. In one embodiment, NI 640 has SA cache 641 that contains SA information. In one embodiment, NI 640 processes data packet 600 with crypto information received from base driver agent 630. NI 640 can then transmit data packet 600 over a network (not depicted in FIG. 6). For example, a data packet can be transmitted over the Internet on a secure traffic stream using IPsec. Some operating systems, for example, Windows® 2000 and Windows® XP, both available from Microsoft Corporation, guarantee that the SA tables are populated. This means that if SA table 631 loses its data, to maintain consistency with SA table 621 and the OS, the entire cache must be repopulated with data guaranteed by the OS to be in the tables, whether or not the data will be used in the future to perform crypto operations. One advantage of intermediate driver agent 620 passing a pointer to base driver agent 630 is that if SA table 631 loses its data, the table can be repopulated as SAs are needed.
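The following is an added example, not code from the patent, that models the transmit-side hand-off of [0027] through [0030] and FIG. 6 in C: the intermediate driver owns a fixed-address SA table (SA table 234 / 621), passes the base driver a plain pointer (*SA info 632) with each packet, and the base driver keeps its own small table (SA table 236 / 631) that a reset wipes. Instead of repopulating the whole table, the base driver repopulates only the SA the current packet needs, and when an add fails because the device is still resetting ([0030]) it reads the SA directly through the pointer. The structure layout, the table capacity, the `accepting` flag that stands in for "driver ready to receive SAs", and the sample SA values are all assumptions of this example.

```c
/* Added example (hypothetical names, constructed data): pointer-based SA
 * hand-off with on-demand repopulation of the base driver's SA table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BASE_TABLE_SLOTS 4

/* One security association: the crypto information a packet refers to. */
typedef struct sa_entry {
    uint32_t spi;        /* security parameter index, the unique identifier */
    uint8_t  proto;      /* 50 = ESP, 51 = AH */
    uint32_t src, dst;   /* IPv4 addresses, host order (constructed) */
    uint8_t  key[16];    /* constructed sample key material */
} sa_entry;

/* SA table 234 / 621, owned by the intermediate driver. Entries keep a fixed
 * address for their lifetime, which is what makes a plain pointer usable. */
static sa_entry upper_table[] = {
    { 0x1001, 50, 0x0A000001, 0x0A000002, { 0x11 } },
    { 0x1002, 50, 0x0A000001, 0x0A000003, { 0x22 } },
    { 0x1003, 51, 0x0A000001, 0x0A000004, { 0x33 } },
};

/* SA table 236 / 631, owned by the base driver: a small copy keyed by SPI. */
typedef struct {
    sa_entry slots[BASE_TABLE_SLOTS];
    int      used;
    int      accepting;  /* 0 while the NI or its driver is still resetting */
} base_sa_table;

static base_sa_table base;

/* Simulate a reset of the NI or its driver: the table contents are lost. */
void base_reset(int accepting_adds) {
    memset(&base, 0, sizeof base);
    base.accepting = accepting_adds;
}

static sa_entry *base_find(uint32_t spi) {
    for (int i = 0; i < base.used; i++)
        if (base.slots[i].spi == spi) return &base.slots[i];
    return NULL;
}

/* Add one SA to the base table. Fails while resetting or when full. */
static int base_add(const sa_entry *sa) {
    if (!base.accepting || base.used == BASE_TABLE_SLOTS) return 0;
    base.slots[base.used++] = *sa;
    return 1;
}

/* Called with the *SA info pointer that accompanies a packet. Returns the SA
 * to use: the local copy if present, else a freshly repopulated copy of just
 * this SA, else (when the add fails) the upper table entry itself, reached by
 * dereferencing the pointer. */
const sa_entry *base_get_sa(const sa_entry *sa_info) {
    const sa_entry *local = base_find(sa_info->spi);
    if (local) return local;
    if (base_add(sa_info)) return base_find(sa_info->spi);
    return sa_info;   /* fallback of [0030]: read through the pointer */
}

int base_table_count(void) { return base.used; }

int main(void) {
    base_reset(1);
    const sa_entry *sa = base_get_sa(&upper_table[0]);
    printf("spi %#x from base table, %d entr%s repopulated\n",
           sa->spi, base_table_count(), base_table_count() == 1 ? "y" : "ies");
    base_reset(0);   /* device resetting: adds fail */
    sa = base_get_sa(&upper_table[1]);
    printf("spi %#x read through pointer, base table holds %d\n",
           sa->spi, base_table_count());
    return 0;
}
```

The count returned by `base_table_count()` after a reset is the point of the patent's argument against full repopulation: only the SAs that packets actually reference come back, one at a time, and a packet is still serviceable through the pointer even while the base table refuses adds.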

[0055] FIG. 7 is one embodiment of a flow diagram for reception of a data packet by an electronic system implementing a layered security driver. Data packet 700 is received by NI 710 from a network (not depicted in FIG. 7). For example, data packet 700 can be part of a secure network stream from the Internet using IPsec. In one embodiment, NI 710 checks data packet 700 for its crypto information to determine how to perform crypto operations on data packet 700, such as authentication or decryption. If the crypto information associated with data packet 700 is in SA cache 711, NI 710 will extract crypto info 712. Although FIG. 7 depicts data structures of crypto information as containing SAs, SA cache 711, SA table 721, and SA table 731 are only example embodiments of data structures of crypto information, and are not limited to containing crypto information data structures that are SAs. In one embodiment, NI 710 uses crypto info 712 to perform hardware offload processing on data packet 700 prior to passing the received data packet 700 to base driver agent 720. In another embodiment, the SA necessary for performing crypto operations is not in SA cache 711, and NI 710 passes data packet 700 to base driver agent 720 without processing the packet.

[0056] Base driver agent 720 can be, for example, a NIC driver. In one embodiment, base driver agent 720 contains SA table 721, which is a table of SAs that contain all the information necessary to perform cryptography operations on data packet 700. Base driver agent 720 provides memory management for SA table 721, but SA table 721 does not necessarily reside in base driver agent 720. In one embodiment, base driver agent 720 checks SA table 721 for the SA associated with data packet 700. If it is not found, it can, for example, create a message indicating that the SA for that secure traffic stream is missing.

[0057] In one embodiment, base driver agent 720 creates SA status 722, which is status information about the processing of data packet 700. In one embodiment, SA status 722 indicates one of four predetermined messages regarding the processing of data packet 700. For example, SA status 722 may indicate that the packet was processed successfully without requiring hardware offloading. In another example, SA status 722 may indicate that the packet was processed successfully by hardware. In another example, SA status 722 may indicate that the packet was processed, but that the packet failed to pass authentication. In another example, SA status 722 may indicate that the packet could not be processed because there was a missing SA.

[0058] Base driver agent 720 passes data packet 700 up to intermediate driver agent 730. In one embodiment, intermediate driver agent 730 contains packet classifier 732. In one embodiment, intermediate driver agent 730 contains SA table 731. Packet classifier 732 checks data packet 700 for its SA information and matches it to a corresponding SA in SA table 731. In one embodiment, intermediate driver agent 730 uses the information in SA status 722 passed by base driver agent 720 to make decisions regarding the processing of data packet 700. For example, if the message of SA status 722 is that the data packet was processed successfully, or that it was processed but failed to pass authentication, no more processing will be performed on data packet 700, and it can be indicated by intermediate driver agent 730 to the upper layers.

[0059] In another example, if the message of SA status 722 is that the data packet could not be processed because the SA was missing, intermediate driver agent 730 directs the processing of data packet 700. For example, intermediate driver agent 730 may direct the processing of data packet 700 by software processing methods known in the art. In another example, intermediate driver agent 730 may direct the processing of data packet 700 by hardware processing methods known in the art. Intermediate driver agent 730 may also choose to add the SA for data packet 700 to SA table 721 and/or SA cache 711 so that future data packets using that SA can be processed with hardware.

[0060] In one embodiment, intermediate driver agent 730 indicates data packet 700 to system upper layers. For example, intermediate driver agent 730 may be an ANS driver that is the top layer of a BITS/BITW security driver implementation. Thus, intermediate driver agent 730 may pass data packet 700 to a system upper layer as conventional in known BITS/BITW implementations. In one embodiment, data packet 700 is passed to high level application process 740. High level application process 740 can be, for example, a TCP/IP stack.
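The following C model is an added illustration and is not part of the patent text or any product it describes. It puts the two mechanisms of paragraphs [0053] through [0059] side by side: on the transmit path the intermediate driver agent owns the SAs and the base driver agent's SA table holds only pointers into that store, so after a simulated reset the table is refilled one SA at a time from the pointer that travels with each packet; on the receive path the base driver reports one of the four SA status messages, and the intermediate driver either indicates the packet upward with no further work or processes it in software and then installs the SA so later packets on that SA can be offloaded. Every name here (struct sa, base_driver, base_transmit, intermediate_receive, the SPI values and key bytes) is an assumption made for the model, and the cryptographic processing itself is stubbed out because the point is the handle passing and table population, not the cipher.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SA_TABLE_SLOTS 4

/* SA as held by the intermediate driver agent (owner of record). Keys are constructed. */
struct sa {
    uint32_t spi;      /* security parameter index carried in the packet */
    uint8_t  key[16];  /* sample key material; no real crypto runs in this model */
};

/* Base driver agent's SA table: slots point into the intermediate driver's store
 * (the "*SA info" of the text), so a reset loses only this cache, not the SAs. */
struct base_driver {
    const struct sa *slot[SA_TABLE_SLOTS];
};

/* The four predetermined SA status messages, and the intermediate driver's decision. */
enum sa_status { SA_SW_OK, SA_HW_OK, SA_AUTH_FAILED, SA_MISSING };
enum im_action { IM_INDICATE, IM_SW_PROCESSED, IM_NO_SA };

/* Simulated NI/driver reset: the table contents are lost. */
static void base_reset(struct base_driver *bd) { memset(bd->slot, 0, sizeof bd->slot); }

static const struct sa *base_lookup(const struct base_driver *bd, uint32_t spi)
{
    for (int i = 0; i < SA_TABLE_SLOTS; i++)
        if (bd->slot[i] && bd->slot[i]->spi == spi) return bd->slot[i];
    return NULL;
}

/* Install one SA from the pointer the intermediate driver passed, reusing a slot
 * that already maps the same SPI. Returns 0 if the table is full. */
static int base_install(struct base_driver *bd, const struct sa *sa_info)
{
    int free_slot = -1;
    for (int i = 0; i < SA_TABLE_SLOTS; i++) {
        if (bd->slot[i] && bd->slot[i]->spi == sa_info->spi) { bd->slot[i] = sa_info; return 1; }
        if (!bd->slot[i] && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return 0;
    bd->slot[free_slot] = sa_info;
    return 1;
}

/* Transmit path: the packet comes down with the pointer to its SA. If a reset wiped
 * the table, the pointer repopulates just this SA rather than the whole table.
 * Returns 1 when the packet can be protected (the offload itself is stubbed). */
static int base_transmit(struct base_driver *bd, uint32_t spi, const struct sa *sa_info)
{
    if (base_lookup(bd, spi)) return 1;
    return sa_info && sa_info->spi == spi && base_install(bd, sa_info);
}

/* Receive path: look the SPI up and report a status message upward.
 * hw_auth_ok stands in for the NI's authentication verdict. */
static enum sa_status base_receive(const struct base_driver *bd, uint32_t spi, int hw_auth_ok)
{
    if (!base_lookup(bd, spi)) return SA_MISSING;
    return hw_auth_ok ? SA_HW_OK : SA_AUTH_FAILED;
}

/* Intermediate driver agent: a processed packet (passing or failing authentication)
 * is indicated upward with no more work; a packet whose SA was missing is processed
 * in software from the driver's own store, and that SA is then installed in the base
 * driver's table so later packets on it can use hardware. */
static enum im_action intermediate_receive(struct base_driver *bd, const struct sa *store,
                                           size_t nstore, uint32_t spi, enum sa_status st)
{
    if (st != SA_MISSING) return IM_INDICATE;
    for (size_t i = 0; i < nstore; i++) {
        if (store[i].spi == spi) {
            /* software crypto with store[i].key would run here (stubbed) */
            base_install(bd, &store[i]);
            return IM_SW_PROCESSED;
        }
    }
    return IM_NO_SA; /* classifier found no SA for this SPI at all */
}

/* End-to-end scenario on constructed SAs; returns how many of 7 expected observations held. */
static int demo_scenario(void)
{
    static const struct sa store[2] = { { 0x1001, { 0xA1 } }, { 0x2002, { 0xB2 } } };
    struct base_driver bd = { { 0 } };
    int ok = 0;
    ok += base_transmit(&bd, 0x1001, &store[0]) == 1;   /* first use installs the SA */
    ok += base_lookup(&bd, 0x1001) == &store[0];
    base_reset(&bd);                                      /* NI reset wipes the table */
    ok += base_lookup(&bd, 0x1001) == NULL;
    ok += base_transmit(&bd, 0x1001, &store[0]) == 1;   /* pointer repopulates on demand */
    ok += base_transmit(&bd, 0x3003, &store[1]) == 0;   /* pointer for another SPI is rejected */
    enum sa_status st = base_receive(&bd, 0x2002, 1);    /* inbound packet, SA not yet cached */
    ok += st == SA_MISSING && intermediate_receive(&bd, store, 2, 0x2002, st) == IM_SW_PROCESSED;
    ok += base_receive(&bd, 0x2002, 1) == SA_HW_OK;       /* next packet offloads to hardware */
    return ok;
}
```

Two design points the model makes visible. First, the SPI check in base_transmit only catches a pointer handed down for the wrong SA; it says nothing about whether the pointed-to SA is still alive, so in a real layered driver the owner of the store must not free or reuse an SA while the base driver's table or the NI cache may still reference it. Second, repopulating on demand means the table after a reset contains only SAs that traffic has actually used, which is the advantage paragraph [0054] contrasts with refilling the entire cache.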

What is claimed is:
1. A method comprising: associating cryptography information with a data packet to be used to perform cryptography operations on the data packet; storing the cryptography information in memory; generating a pointer to a memory location for the cryptography information; passing the pointer to the cryptography information from a first system layer to a second system layer; accessing the cryptography information not stored in the second system layer using the pointer; performing cryptography operations on the data packet; and transmitting the data packet.
2. The method of claim 1 wherein the first system layer comprises an intermediate driver agent.
3. The method of claim 1 wherein the second system layer comprises a base driver agent.
4. The method of claim 1 wherein the cryptography information comprises one or more of: a unique identifier, a network protocol associated with the data packet, a security parameter index, cryptographic keys, a source identifier, and a destination identifier.
5. The method of claim 1 wherein the cryptography information comprises a security association.
6. The method of claim 1 wherein the pointer is used to cache the cryptography information on network hardware.
7. The method of claim 1 wherein accessing the cryptography information not stored in the second system layer is performed by the second system layer to populate a cryptography information table.
8. The method of claim 7 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
9. A method comprising: receiving a data packet; associating cryptography information with the data packet, the cryptography information to be used to perform cryptography operations on the data packet; generating a message indicating that the cryptography information necessary to perform cryptography operations on the data packet is not stored in a cryptography information table; and passing the message from a first system layer to a second system layer.
10. The method of claim 9 wherein the first system layer comprises a base driver agent.
11. The method of claim 9 wherein the second system layer comprises an intermediate driver agent.
12. The method of claim 9 wherein the cryptography information comprises one or more of: a unique identifier, a network protocol associated with the data packet, a security parameter index, cryptographic keys, a source identifier, and a destination identifier.
13. The method of claim 9 wherein the cryptography information comprises a security association.
14. The method of claim 9 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
15. The method of claim 14 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on a data packet.
16. The method of claim 9 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
17. An article comprising a machine-accessible medium to provide machine-readable instructions that, when executed, cause one or more electronic systems to: associate cryptography information with a data packet to be used to perform cryptography operations on the data packet; store the cryptography information in memory; generate a pointer to a memory location for the cryptography information; pass the pointer to the cryptography information from a first system layer to a second system layer; access the cryptography information not stored in the second system layer using the pointer; perform cryptography operations on the data packet; and transmit the data packet.
18. The article of claim 17 wherein the pointer is used to cache the cryptography information on network hardware.
19. The article of claim 17 wherein accessing the cryptography information not stored in the second system layer is performed by the second system layer to populate a cryptography information table.
20. The article of claim 19 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
21. An article comprising a machine-accessible medium to provide machine-readable instructions that, when executed, cause one or more electronic systems to: receive a data packet; associate cryptography information with the data packet, the cryptography information to be used to perform cryptography operations on the data packet; generate a message indicating that the cryptography information necessary to perform cryptography operations on the data packet is not stored in a cryptography information table; and pass the message from a first system layer to a second system layer.
22. The article of claim 21 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
23. The article of claim 22 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on the data packet.
24. The article of claim 21 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
25. An electronic data signal embodied in a data communications medium shared among a plurality of network devices comprising sequences of instructions that, when executed, cause one or more electronic systems to: associate cryptography information with a data packet to be used to perform cryptography operations on the data packet; store the cryptography information in memory; generate a pointer to a memory location for the cryptography information; pass the pointer to the cryptography information from a first system layer to a second system layer; access the cryptography information not stored in the second system layer using the pointer; perform cryptography operations on the data packet; and transmit the data packet.
26. The electronic data signal of claim 25 wherein the pointer is used to cache the cryptography information on network hardware.
27. The electronic data signal of claim 25 wherein accessing the cryptography information not stored in the second driver agent is performed by the second system layer to populate a cryptography information table.
28. The electronic data signal of claim 27 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
29. An electronic data signal embodied in a data communications medium shared among a plurality of network devices comprising sequences of instructions that, when executed, cause one or more electronic systems to: receive a data packet; associate cryptography information with the data packet, the cryptography information to be used to perform cryptography operations on the data packet; generate a message indicating that the cryptography information necessary to perform cryptography operations on the data packet is not stored in a cryptography information table; and pass the message from a first system layer to a second system layer.
30. The electronic data signal of claim 29 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
31. The electronic data signal of claim 30 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on a data packet.
32. The electronic data signal of claim 29 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.
33. An apparatus comprising a first system layer coupled to a second system layer, the first system layer to store cryptography information in memory, and to generate and to pass to the second system layer a pointer to cryptography information stored in memory, the cryptography information necessary to perform cryptography operations on a data packet, the second system layer to access the cryptography information not stored in the second system layer using the pointer.
34. The apparatus of claim 33 wherein the first system layer comprises an intermediate driver agent.
35. The apparatus of claim 33 wherein the second system layer comprises a base driver agent.
36. The apparatus of claim 33 wherein the pointer is used to cache the cryptography information on network hardware.
37. The apparatus of claim 33 wherein accessing the cryptography information not stored in the second system layer is performed by the second system layer to populate a cryptography information table.
38. The apparatus of claim 37 wherein the population of the cryptography information table is performed when cryptography information for the data packet is needed for network hardware to perform cryptography operations on the data packet.
39. An apparatus comprising a first system layer coupled to a second system layer, the first system layer to generate a message indicating that cryptography information necessary to perform cryptography operations on a data packet is not stored in a cryptography information table, and to pass to the second system layer the message.
40. The apparatus of claim 39 wherein the first system layer comprises a base driver agent.
41. The apparatus of claim 39 wherein the second system layer comprises an intermediate driver agent.
42. The apparatus of claim 39 further comprising the second system layer passing cryptography information to the first system layer to populate the cryptography information table.
43. The apparatus of claim 42 wherein the second system layer passing cryptography information to populate the cryptography information table occurs only as the cryptography information is needed to perform cryptography operations on the data packet.
44. The apparatus of claim 39 wherein passing the message causes the second system layer to determine which of multiple methods of data packet processing should be used to process the data packet.